III. Exploit:Fiyo CMS have five user group (super administrator, administrator, editor, publisher, member) and only three group can access backend page of admin (super administrator, administrator and editor).

Ok, prepare your tool like burpsuite to intercept traffic. in this case I login as editor and I want manipulation of editor group (level=3) to be super administrator group (level=1).A The first you access on menu aEdit Profilea and click aSimpan (Save)a, and then change like this on your burpsuite intercept menu: